Re: Admission Control to the IETF 78 and IETF 79 Networks
Chris Elliott <chelliot@pobox.com> Mon, 12 July 2010 19:13 UTC
Return-Path: <chelliot@gmail.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 949F73A6BD4 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 12:13:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.274
X-Spam-Level:
X-Spam-Status: No, score=-0.274 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MjlJLbzM6ZY5 for <ietf@core3.amsl.com>; Mon, 12 Jul 2010 12:13:06 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by core3.amsl.com (Postfix) with ESMTP id E68883A6B92 for <ietf@ietf.org>; Mon, 12 Jul 2010 12:13:05 -0700 (PDT)
Received: by gxk3 with SMTP id 3so3091627gxk.31 for <ietf@ietf.org>; Mon, 12 Jul 2010 12:13:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:references:in-reply-to :mime-version:content-transfer-encoding:content-type:message-id:cc :x-mailer:from:subject:date:to; bh=5QIa59EpoILHkTulub5mV0NyVqvR3pQNm3qAoJwgZD8=; b=rfRIXJirrHbYyqEcESKUo/ibqqGlvOO331rv74g3FBAzsB/p8dsDIrDFhvYkumIFVS mgEdbA0LkIYyVZMOQakel4g0b9HwByrL9nAklsvu1RCV+kX4dP5WE2daQmfVfPx7cSzw dZXhjaSlIIe16++DTmIB8rgnxmQ77lnenUC6E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:references:in-reply-to:mime-version :content-transfer-encoding:content-type:message-id:cc:x-mailer:from :subject:date:to; b=BOiC3e9ZLEdMlChMrfCmMJUD3++s1O/B4NUp2s00EPDxkpJVA3wbbxK1UoxaZXeeOI nA3msWkVCrFFfKbtfUu3w6FlqpJR0oGZYC1c97uCgbVvtRbIZjAv8LnReIp+12EwhbLx 46PPxQFD/hOAGiz6itrJglHy3qNehWt9KvXaQ=
Received: by 10.229.191.5 with SMTP id dk5mr8576931qcb.231.1278961991036; Mon, 12 Jul 2010 12:13:11 -0700 (PDT)
Received: from [10.0.1.9] (cpe-066-057-101-100.nc.res.rr.com [66.57.101.100]) by mx.google.com with ESMTPS id fb41sm20921609qcb.3.2010.07.12.12.13.09 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 12 Jul 2010 12:13:09 -0700 (PDT)
Sender: Chris Elliott <chelliot@gmail.com>
References: <CFB08C07-DE90-47BE-ADFF-FC72162BBFA1@daedelus.com> <4C2BBD51.2060605@ietf.org> <6.2.5.6.2.20100701070804.0c26b8a0@resistor.net> <6D6E25E2-057B-4591-9288-1283036D0374@cisco.com> <AANLkTinMFsrGyIy9bu5kzUiZqNmDbf7lpS-eht8h3hvP@mail.gmail.com> <CCD1D0AD-97DC-4CE0-9E27-CC75B5F47C54@muada.com> <AANLkTilVmeg2Tgjgllg2yT3Oc34Y4ZuwXwl9U1ELfjhc@mail.gmail.com> <20100706170631.GK25518@thunk.org> <AANLkTil357pxy8tD49Q9ds9QVlSjo9h3p3akSN9UF1XS@mail.gmail.com> <AANLkTil0YIS9H-vYxIJJS_OC7tAlcCLQQycskFcLE71V@mail.gmail.com> <AANLkTilVAn3j-iXbdytu9en-OWAjlCFQSyQy1jiY1Zq1@mail.gmail.com> <AANLkTilCRrRhYVBNKdkaBudacJDCbBx3_48D9_U2RaSM@mail.gmail.com> <AANLkTinqiZaI-g042rVX0veLSpsVho0smH3XMkg6E7d_@mail.gmail.com>
In-Reply-To: <AANLkTinqiZaI-g042rVX0veLSpsVho0smH3XMkg6E7d_@mail.gmail.com>
Mime-Version: 1.0 (iPhone Mail 8A293)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-Id: <F08DB980-41E2-41A8-AF03-1E917A2B3903@pobox.com>
X-Mailer: iPhone Mail (8A293)
From: Chris Elliott <chelliot@pobox.com>
Subject: Re: Admission Control to the IETF 78 and IETF 79 Networks
Date: Mon, 12 Jul 2010 15:12:13 -0400
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: Iljitsch van Beijnum <iljitsch@muada.com>, "tytso@mit.edu" <tytso@mit.edu>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2010 19:13:08 -0000
Phillip, I read all of all your emails on this thread before I replied the first time, just not your book. We will be and we have been "eat[ing] the WiFi authentication dog-food" at IETF meetings. And it's gotten easier each time. You do realize, don't you, that we are offering WPA/WPA2 with enterprise authentication and encryption as our recommended way of getting onto the network, right? We are only offering a web portal so that folks that can't do WPA* can authenticate. And we've been offering WPA* enterprise on most IETF networks for many years. The difference this time is we are going to unique user credentials. I anticipate the time it will take for most attendees to authenticate will be the time it takes to type in a username and password--far under a half an hour, unless the attendee is Stephen Hawking, in which case I will personally help the attendee authenticate! There will be those with problems. That's why there's a help desk. Chris. P.S. bring a copy of your book to Maastricht and I'll bring a copy of mine and we'll do a prisoner exchange. :-) -- Chris Elliott CCIE # 2013 On Jul 12, 2010, at 2:35 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote: > Well maybe if you read the full thread rather than just cherry picking > parts of it you would have understood the point better. > > My original argument was that I think the IETF should eat the WiFi > authentication dog-food here because the current product tastes like > poo and the only way things are going to get any better is if a bunch > of network engineers start to see that there is a real problem. > > > I have also proposed a scheme that would be applicable for use at the > IETF. Basically the shortest distance from where we are to where we > want to be is to use self signed certs and use the fingerprint of the > cert as a unique device ID. But that is only addressing the specifics > of how to make the scheme work at IETF, which is really not very > interesting in the grand scheme of things. What is more interesting > would be a scheme that can be relied on to work anywhere without half > an hour of fiddling and jiggering the configuration - as will be the > Maastricht/Beijing experience. > > The first year they started doing this at RSA the help desk had a > pretty long queue and much time was spend debugging crappy code. The > basic experience being that Macs work fine, Windows works fine with > native drivers. But corporate configuration laptops with device > drivers written by the WiFi card provider and/or VPN products were > massively flaky.. > > > On Mon, Jul 12, 2010 at 1:53 PM, Chris Elliott <chelliot@pobox.com> wrote: >> On Mon, Jul 12, 2010 at 12:07 PM, Phillip Hallam-Baker <hallam@gmail.com> >> wrote: >>> >>> No, if you read my book you would see the scheme I am proposing. >> >> >> I hope your book is rather less opaque than your attempts to explain your >> technique here. >>> >>> The problem with current MAC addresses is that they are not >>> trustworthy. That is accepted. If MAC addresses were not trivially >>> forged then the existing WiFi scheme would work fine. >>> >>> What I am saying is that if people got really serious about usability >>> and in particular the WiFi design had been controlled by a Steve Jobs >>> style person who demanded an absolute commitment to a first class >>> usability approach, then we could have a scheme that did not require >>> end-user configuration. >>> >>> Instead every device would have been issued with a device cert to bind >>> the MAC address to a public key during manufacture. This is already a >>> requirement for cable modems. The cost is of the order of cents per >>> device if the certs are installed during manufacture. Maintenance >>> costs get much higher as soon as the device has left the factory. >>> >>> The function of the certificate is to stop the MAC address being >>> trivially forged. OK yes, if you design the protocols wrong then you >>> can end up with Cisco being able to intercept on the wire traffic. But >>> if you do the job right you can prevent interception even if the >>> manufacturer defects. >> >> I thought we were talking about how to do this for the meeting in Maastricht >> and then in Beijing. I agree that manufacturers could make this easier for >> all of us. But some of us live in the real world and must make things work >> today. >> I'd be glad to listen to an explanation of how to make this work with the >> current devices that IETF attendees will be bringing to Maastricht and >> Beijing. >> Chris. >> >>> >>> And as for my waist - yes there does seem to be rather more of it than >>> there should be, but I don't think that is Dogbert's fault. I blame >>> the cookies at IETF break time. >>> >>> >>> On Mon, Jul 12, 2010 at 11:56 AM, Chris Elliott <chelliot@pobox.com> >>> wrote: >>>> Phillip, >>>> In your earlier email, you state: >>>>> >>>>> If the designers had actual brains instead of bits of liver strapped >>>>> round their waist by dogbert then all that would be necessary to >>>>> securely authenticate to the network is to give either the MAC address >>>>> of the computer or the fingerprint of the cert. >>>> >>>> Note that you say "either". Now you state: >>>>> >>>>> Of course the MAC address is trivially forged. That is the function of >>>>> the certificate. >>>> >>>> Maybe you should check your waist. >>>> Chris. >>>> >>>> -- >>>> Chris Elliott >>>> chelliot@pobox.com >>> >>> -- >>> Website: http://hallambaker.com/ >> >> >> >> -- >> Chris Elliott >> chelliot@pobox.com >> CCIE # 2013 > > > > -- > Website: http://hallambaker.com/
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Admission Control to the IETF 78 and IETF 79 Netw… IETF Chair
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Fred Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Olivier MJ Crepin-Leblond
- Re: Admission Control to the IETF 78 and IETF 79 … Dave CROCKER
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew Sullivan
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Marshall Eubanks
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew Sullivan
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Ted Hardie
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Richard L. Barnes
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … David Conrad
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … John C Klensin
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Michael StJohns
- Re: Admission Control to the IETF 78 and IETF 79 … Randy Bush
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- Re: Admission Control to the IETF 78 and IETF 79 … Russ Housley
- free internet for ieters only Health
- Re: Admission Control to the IETF 78 and IETF 79 … Robert Moskowitz
- Re: Admission Control to the IETF 78 and IETF 79 … Douglas Otis
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Bob Hinden
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … SM
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Andrew G. Malis
- Re: Admission Control to the IETF 78 and IETF 79 … Marocco Enrico
- Re: Admission Control to the IETF 78 and IETF 79 … Ole Jacobsen
- Re: Admission Control to the IETF 78 and IETF 79 … Marocco Enrico
- Re: Admission Control to the IETF 78 and IETF 79 … Joel Jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … tytso
- Re: Admission Control to the IETF 78 and IETF 79 … Mark Atwood
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … joel jaeggli
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Martin Rex
- Re: Admission Control to the IETF 78 and IETF 79 … Chris Elliott
- Re: Admission Control to the IETF 78 and IETF 79 … Douglas Otis
- Re: Admission Control to the IETF 78 and IETF 79 … Donald Eastlake
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … Iljitsch van Beijnum
- Re: Admission Control to the IETF 78 and IETF 79 … IETF Chair
- RE: Admission Control to the IETF 78 and IETF 79 … Josh Howlett
- Re: Admission Control to the IETF 78 and IETF 79 … Phillip Hallam-Baker